Preparing for a CMS Network Adequacy Audit: What to Expect and How to Get Ready

What Triggers a CMS Network Adequacy Audit

Network adequacy audits don't arrive at random. CMS targets plans for audit review based on a defined set of risk signals that surface through its normal oversight activities. Understanding those triggers is the first step in building a defensible posture.

The most common triggers include: gap notices that went unresolved or received weak corrective action responses during prior benefit years; member complaints logged through 1-800-MEDICARE or the Complaint Tracking Module that cite access-to-care issues; bid review flags where CMS analysts identified inconsistencies between a plan's network documentation and its submitted provider data; and random selection as part of CMS's annual program oversight cycle. Plans with recent enrollment limitations — particularly those imposed as part of a prior corrective action — are disproportionately selected for follow-up audits.

CMS also targets plans that show a pattern of exception-heavy submissions. Filing exceptions in the same county and specialty category for two or more consecutive benefit years is a documented risk signal in CMS's audit prioritization framework.

Types of Audit Activities: Desk Review vs. On-Site

CMS conducts network adequacy audits in two primary formats, and the format shapes how your team should prepare.

A desk review is the more common format. CMS sends a data request letter with a 30-day response window and asks the plan to submit a defined package of documentation: provider roster exports, credentialing status records, adequacy calculation outputs, exception filing documentation, and prior gap notice correspondence. Desk reviews are often conducted by CMS contractors rather than CMS staff directly, and the outputs feed into a formal audit finding report.

On-site audits are less common but more intensive. CMS audit teams — or contracted audit firms — visit plan facilities and interview network operations staff. On-site audits are typically reserved for plans with significant prior compliance history, plans under active corrective action plans, or plans selected as part of CMS's annual Program Audit cycle (which covers network adequacy as one of six audit universes). On-site audits may include credentialing file reviews, interviews with network operations leadership, and testing of provider directory accuracy through call-out protocols.

A third audit format — the targeted comprehensive audit — combines desk review elements with expanded data requests that cover multiple years of network history. These are typically triggered by pattern findings rather than single-year deficiencies.

What CMS Reviewers Examine

Regardless of audit format, CMS reviewers focus on five core documentation categories during a network adequacy audit.

First, provider roster accuracy. Reviewers examine whether the providers claimed in your adequacy calculation are actually contracted, active, and available to serve members. This means cross-referencing your HPMS submission against your executed contract records and your credentialing files. Providers that appear in your adequacy model but whose contracts have lapsed, who have not cleared credentialing, or who are no longer actively seeing patients will generate findings.

Second, credentialing records. CMS expects that every provider counted toward adequacy has a complete, current credentialing file. Reviewers will pull a sample of providers from your roster and request their credentialing documentation — primary source verifications, license status, DEA if applicable, malpractice coverage, and board certification where claimed. Files that are expired, incomplete, or missing required verifications generate credentialing deficiency findings that can cascade into adequacy findings.

Third, adequacy calculation methodology. CMS reviewers want to understand how you calculated your adequacy percentages — specifically, which providers were included, what geographic data was used, and how the time-and-distance thresholds were applied. Inconsistencies between your methodology and CMS's HPMS adequacy tool outputs are a frequent finding category.

Fourth, exception documentation. Where exceptions were filed, reviewers examine whether the exception rationale is complete and whether the outreach documentation demonstrates good-faith recruitment efforts. Exception files that lack dated outreach logs, recruiter contact records, or provider response documentation are treated as insufficient.

Fifth, prior gap notice responses. If CMS issued gap notices in prior benefit years, reviewers will examine whether your corrective action responses addressed the gaps and whether the gaps closed. Plans that filed corrective action commitments they did not execute on are at significant risk.

Pre-Audit Preparation Checklist

The plans that navigate network adequacy audits most successfully treat audit preparation as a year-round discipline rather than a response to an incoming audit letter. The following checklist reflects the documentation standards that consistently satisfy CMS reviewer expectations.

Provider roster accuracy: Conduct a quarterly reconciliation of your network provider roster against executed contract records. Verify that every provider listed in your HPMS adequacy submission has an active, executed participating provider agreement. Flag any providers whose contracts are within 60 days of expiration and initiate renewal before the contract lapses.

Credentialing currency: Maintain a credentialing expiration tracker keyed to your adequacy model. Providers whose credentialing is within 90 days of expiration should trigger a re-credentialing workflow. Never count a provider toward adequacy whose credentialing file is in expired or pending status.

Exception file completeness: For every county-specialty exception in your current or prior submissions, maintain a complete exception package that includes: the exception rationale narrative, a dated recruiter outreach log with contact attempts, provider response records where available, and a status update showing whether the gap is resolved or ongoing. Exception files should be stored in a format that allows rapid export in response to a data request.

Gap notice responses: Maintain an indexed archive of every CMS gap notice received and every corrective action response submitted. Include the timeline of corrective actions, the providers recruited in response, and documentation of whether the gap closed.

The 30-Day Response Window

When CMS sends an audit data request letter, the standard response window is 30 calendar days. This is a hard deadline — CMS does not routinely grant extensions, and late responses are treated as audit deficiencies in themselves.

The 30-day window creates a significant operational challenge for plans that maintain their network documentation in disorganized or siloed systems. Assembling a complete provider roster, credentialing file samples, adequacy calculation outputs, and exception documentation in 30 days requires that all of this documentation be accessible in a structured, exportable format before the letter arrives.

Plans that respond well to audit data requests typically have a designated audit response coordinator, a pre-built data request response template, and a clear protocol for pulling credentialing files from their credentialing system of record on short notice. Building these capabilities before an audit arrives is the single most effective preparation investment a network ops team can make.

Adverse Audit Findings: What Happens Next

If CMS identifies deficiencies in your network adequacy audit, the consequences escalate based on the severity and breadth of the findings.

For minor deficiencies — isolated credentialing documentation gaps or methodology inconsistencies without underlying adequacy failures — CMS typically issues a finding letter and requires a corrective action plan (CAP) response within 45 days. The CAP must describe the specific corrective actions the plan will take, the timeline for completion, and the monitoring process the plan will implement to prevent recurrence.

For material deficiencies — inadequate provider access in one or more specialty categories, widespread credentialing failures, or inadequate exception documentation covering a significant portion of the service area — CMS may impose enrollment limitations. Under an enrollment limitation, the plan cannot accept new enrollments in the affected service area until the deficiency is corrected and CMS verifies remediation.

For the most serious findings — patterns of non-compliance, repeated failures to respond to gap notices, or evidence of deliberate misrepresentation in adequacy submissions — CMS may impose Civil Monetary Penalties (CMPs). CMP amounts for network adequacy violations can reach $25,000 per member affected per day of non-compliance, and the enforcement authority has been used with increasing frequency in recent program audit cycles.

Organizing Network Documentation for Year-Round Audit Readiness

The highest-performing network ops teams organize their documentation around audit readiness as a permanent operating standard, not an annual fire drill. This means maintaining documentation in a centralized, searchable system where provider contracts, credentialing records, exception files, and gap notice correspondence are linked to specific providers and counties.

At minimum, a year-round audit-ready documentation posture includes: a contract management system that tracks contract status and expiration by provider; a credentialing system that tracks file currency and flags expiring files; a structured exception management workflow that maintains exception rationale and outreach logs; and an indexed archive of all CMS correspondence and plan responses.

Plans that use technology to automate these tracking functions — rather than relying on manual spreadsheets — respond to data requests significantly faster and with fewer documentation gaps. The organizational investment in documentation infrastructure is one of the clearest differentiators between plans with clean audit histories and those with recurring compliance exposure.

Network Adequacy Audits vs. General CMS Plan Performance Audits

It is worth distinguishing between a targeted network adequacy audit — the subject of this article — and a general CMS Plan Performance Audit (formerly called a CPSA). The general program audit covers six universe areas: appeals and grievances, organization determinations, clinical and coordination of care, Part D formulary and benefit administration, compliance program effectiveness, and network adequacy. Network adequacy is one component of the broader program audit, not a standalone exercise.

A targeted network adequacy audit, by contrast, focuses exclusively on provider network documentation and adequacy calculation accuracy. It is narrower in scope but deeper in its examination of network-specific records. Plans selected for both a general program audit and a targeted network adequacy audit in the same cycle will face a compounded documentation burden — another reason why year-round audit readiness is more sustainable than reactive preparation.